FBI warns of China-related wire transfer fraud

Small and medium-size businesses in the U.S. lost more than $11 million over the past year in online scams in which stolen banking credentials were used in fraudulent wire transfers to companies in China, the FBI said.

There were 20 such incidents between March 2010 and April 2011, affecting companies and public institutions in the U.S. that tend to have accounts at local community banks and credit unions, some of which use third-party service providers for online banking services, according to the agency. The amounts transferred at any one time ranged from tens of thousands of dollars to nearly $1 million.

In most cases the criminals managed to compromise the computer of someone within a target company who could initiate funds transfers, according to a fraud alert issued by the FBI this week (PDF). The victim receives a phishing e-mail designed either to trick the recipient into revealing online banking credentials or to lure the recipient to a Web site hosting malware that steals the information from the computer.

When the victims try to log in to the bank site, they're redirected to a page saying the site is under maintenance while the criminals use the stolen log-in information to transfer money to a U.S. bank. The money is then transferred to a bank account owned by one of a number of "economic and trade companies" located in the Heilongjiang province in China and immediately withdrawn or transferred again, the FBI said.

"It is unknown who is behind these unauthorized transfers, if the Chinese accounts were the final transfer destination, or if the funds were transferred elsewhere, or why the legitimate companies received the unauthorized funds," the FBI alert says.

In addition to the unauthorized wire transfers, criminals were also found to be sending domestic Automated Clearing House (ACH) and wire transfers to money mules in the U.S. within minutes of the overseas transfers, according to the agency. It's unclear where that money ends up.
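The transfer sequence the alert describes (a large international wire to a beneficiary the account has never paid, followed within minutes by domestic ACH or wire transfers to other new beneficiaries) is the kind of pattern a bank's transaction monitoring can flag for manual review before release. The following is an added illustration, not code from the FBI or any bank; the transfer records, the $10,000 review threshold and the 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of outbound transfers from one business account (not real data).
# Fields: timestamp, transfer type, amount in USD, beneficiary id, destination
# country, and whether the account had paid that beneficiary before.
TRANSFERS = [
    {"ts": "2011-03-02 09:05", "type": "wire", "amount": 180000.0,
     "beneficiary": "B-NEW-1", "country": "CN", "known": False},
    {"ts": "2011-03-02 09:09", "type": "ach", "amount": 9500.0,
     "beneficiary": "B-NEW-2", "country": "US", "known": False},
    {"ts": "2011-03-02 09:11", "type": "wire", "amount": 8800.0,
     "beneficiary": "B-NEW-3", "country": "US", "known": False},
    {"ts": "2011-03-02 14:00", "type": "ach", "amount": 2400.0,
     "beneficiary": "B-PAYROLL", "country": "US", "known": True},
]

INTL_REVIEW_THRESHOLD = 10000.0          # assumed review threshold, not from the alert
FOLLOW_ON_WINDOW = timedelta(minutes=15)  # "within minutes" per the FBI alert


def _when(row):
    return datetime.strptime(row["ts"], "%Y-%m-%d %H:%M")


def flag_suspicious(transfers):
    """Return (beneficiary, reason) pairs for transfers matching the alert's pattern:
    a large international wire to a never-paid beneficiary, then domestic ACH or
    wire transfers to other new beneficiaries within minutes of it."""
    rows = sorted(transfers, key=_when)
    flags = {}
    for i, row in enumerate(rows):
        if (row["type"] == "wire" and row["country"] != "US"
                and not row["known"] and row["amount"] >= INTL_REVIEW_THRESHOLD):
            flags.setdefault(row["beneficiary"],
                             "large international wire to new beneficiary")
            anchor = _when(row)
            for later in rows[i + 1:]:
                if _when(later) - anchor > FOLLOW_ON_WINDOW:
                    break  # rows are time-ordered, so nothing later is in the window
                if later["country"] == "US" and not later["known"]:
                    flags.setdefault(later["beneficiary"],
                                     "domestic transfer to new beneficiary minutes after the wire")
    return sorted(flags.items())
```

Routine payments to known beneficiaries, and domestic transfers that fall outside the window, are left alone so the rule adds review friction only to the sequence the alert describes.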

The data-stealing malware used in the fraud includes Zeus, Backdoor.bot, and Spybot. Zeus can steal multifactor authentication tokens and enable criminals to log in to accounts with the username, password, and token ID during a user's log-in session. Backdoor.bot combines worm, downloader, and keylogger components and offers remote access to compromised computers. Spybot is an IRC (Internet Relay Chat) backdoor Trojan that runs in the background and opens a back door to the compromised computer.